Audit of FDIC's Public Key Infrastructure Certificate Policy and Extranet Certification Practice Statement

(Report No. 04-024, July 2, 2004)

Summary

PKI is a set of policies, processes, hardware, and software that enables secure and private communication. The Certificate Policy (CP) defines the high-level PKI standards and requirements, and the Certification Practice Statement (CPS) describes the detailed practices that implement the CP. The Federal Bridge Certification Authority (FBCA), which became operational in June 2001, provides the technical infrastructure and the security policies and procedures that ensure members follow common PKI security practices in order to cross-certify with the FBCA. As a prerequisite for cross-certification with the FBCA, applicant organizations are required to engage a qualified independent third party to perform a compliance audit of their CP and CPS.

This audit was requested by the former Acting Director, Division of Information Resources Management (DIRM), in support of the FDIC's ongoing effort to cross-certify its Extranet PKI Service with the FBCA. The objective of the audit was to determine whether (1) the FDIC's Certificate Policy complies with the requirements defined in the FBCA's Certificate Policy for achieving the basic level of assurance and (2) the Extranet Certification Practice Statement is consistent with the FDIC's Certificate Policy.

The OIG concluded that, in general, the FDIC's Certificate Policy complied with the requirements defined in the FBCA's Certificate Policy for achieving the basic level of assurance. However, we are recommending that DIRM take additional actions to improve the CP and CPS.

Recommendations

The OIG recommended that DIRM clarify the Certification Practice Statement and perform quality assurance and legal sufficiency reviews of the PKI policy and practice statements to ensure that these documents accurately reflect the current environment and provide definitive guidance.

Management Response

DIRM's response adequately addresses the recommendations.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.